
Defending yesterday
While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday's security practices to combat today's threats.

Financial Services: Key findings from The Global State of Information Security Survey 2014
April 2014

Compliance is not enough as threats advance faster than security.
The results of The Global State of Information Security Survey 2014 show that financial services companies are spending more on information security than ever before and have improved many of their security practices. Our research indicates that regulatory compliance is still a significant driver of security spend in the industry. Yet incidents continue to occur as a result of unprecedented attacks, ranging from distributed denial of service (DDoS) to advanced persistent threats (APTs). Why is this happening? We believe most organizations are defending yesterday, even as their adversaries exploit the threats of tomorrow.

38% of financial services respondents say complex, rapidly evolving, and sophisticated technologies such as high-frequency trading systems pose a significant challenge to the future success of their organization's information security.

A global, cross-industry survey of business and IT executives
The Global State of Information Security Survey 2014, a worldwide study conducted with CIO magazine and CSO magazine, was carried out online from February 1 to April 1, 2013.
- 16th year of conducting the online survey; 11th with CIO and CSO magazines
- Respondents: readers of CIO and CSO magazines and clients from 115 countries
- More than 9,600 responses from executives including CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security
- More than 40 questions on privacy and information security safeguards and their alignment with the business
- 39% of respondents from companies with revenue of $500 million or more
- 36% of respondents from North America, 26% from Europe, 21% from Asia Pacific, 16% from South America, and 2% from the Middle East and Africa
- The survey included 993 respondents from the financial services industry
- Margin of error less than 1%; numbers may not add to 100% due to rounding

The share of IT budget has held steady, but as overall IT spending has increased, security budgets have also expanded.
As illustrated below, security's share of IT spend has held constant at approximately 3.5% in recent years. As overall IT budgets have recovered from post-financial-crisis lows, however, spending on information security has increased in tandem.

Percent of IT budget spent on security (chart values, in the order shown): 3.9%, 3.3%, 3.5%, 3.6%, 3.5%
Question 7: What is your organization's total information technology budget for 2013?
Question 8: What is your organization's total information security budget for 2013?

Financial services respondents are detecting significantly more security incidents.*
The average number of detected incidents increased by 169% over last year, evidence of today's elevated threat environment and perhaps of respondents' improved ability to identify incidents. Average total financial losses have increased significantly over 2012, which is not surprising given the cost and complexity of responding to threats.

Average number of security incidents in past 12 months (chart values, in the order shown): 4,628; 1,957; 1,720
Respondents answering "Do not know" (same order): 8%; 15%; 18%

* A security incident is defined as any adverse incident that threatens some aspect of computer security.
Question 18: What is the number of security incidents detected in the past 12 months?
Question 22A: Estimated total financial losses as a result of all security incidents.

Insiders, particularly current or former employees, are cited as a source of security incidents by most financial services respondents.
It's the people you know, current and former employees as well as other insiders, who are most likely to perpetrate security incidents.

Estimated likely source of incidents (insiders)
Employees:
- Current employees: 33%
- Former employees: 25%
Trusted advisors:
- Current service providers/consultants/contractors: 18%
- Former service providers/consultants/contractors: 12%
- Suppliers/business partners: 12%
- Information brokers: 9%
Question 21: Estimated likely source of incidents. (Not all factors shown.)

Respondents have not fully implemented technologies and processes that can provide insight into today's risks.
Security safeguards that monitor data and assets are less likely to be in place than traditional "block and tackle" security. The types of tools below, behavioral profiling and safeguards against APTs in particular, can provide ongoing intelligence into ecosystem vulnerabilities and dynamic threats.

Security safeguards currently in place
- Behavioral profiling and monitoring: 46%
- Protection/detection solution for APTs: 55%
- Security information and event management (SIEM) technologies: 58%
- Use of virtualized desktop: 58%
- Data loss prevention tools: 61%
- Asset management tools: 65%
- Centralized data store: 66%
- Active monitoring/analysis of security intelligence: 74%
Question 14: What process information security safeguards does your organization currently have in place?
Question 15: What technology information security safeguards does your organization currently have in place? (Not all factors shown.)

As they work to upgrade their defenses against cyber attacks, financial institutions should focus on these key areas:

Prioritize and protect the critical information storage / transactions
The 2014 GSISS survey indicates that only 24% of financial services respondents classify the business value of data. Financial institutions will need better processes for the inventory, assessment, and valuation of the organization's data in order to prioritize the defense of these data assets. These priorities, in turn, determine the appropriate allocation of the organization's resources.

Harness the power of collaboration
According to GSISS 2014, 55% of financial services respondents say they collaborate with others to improve security. However, many still resist sharing data with outsiders because they do not want to draw attention to their own weaknesses. While these concerns are legitimate, the threat intelligence that can be gathered and shared through collaboration with law enforcement, federal agencies, and other private partnerships often proves invaluable in enabling financial institutions to gain insight into emerging threats.

What is: Disconnected threat intelligence in a noisy environment, due to disjointed and insufficient data and analysis techniques.
What should be: A robust threat analysis capability built on shared intelligence, data, and research.

Develop a robust threat analysis capability
Most institutions' threat analysis efforts suffer because they inhabit a disjointed environment that is spread across several functions, physical locations, and systems. In our view, institutions should establish a robust threat analysis capability that is built on shared intelligence, data, and research from internal and external sources. This capability should address:
- Governance and operations: the roles and responsibilities that the various security functions have, and how they should interact.
- Collaborative analysis: processes for digesting internal data and external threat intelligence feeds.
- Analytics tools: investment in big data technologies to enhance monitoring of security threats and improve fraud detection across business lines.
- Communication protocols: processes for disseminating actionable intelligence across the organization, enabling security functions to prevent, detect, and respond to threats.
(Diagram labels for the disjointed environment: Operational Groups, Physical Locations, Open Source, IT Systems & Tools, Individuals, Other.)

More money and an actionable vision are needed to overcome obstacles to advancing security.
This is critical because effective security requires an adequate budget that is aligned with future business needs, as well as the support of top executives.

Greatest obstacles to improving the strategic effectiveness of the company's IS function
- Insufficient capital expenditures: 24%
- Lack of an actionable vision or understanding of how future business needs impact information security: 24%
- Absence or shortage of in-house technical expertise: 23%
- Poorly integrated or overly complex information and IT systems: 22%
- Leadership: CEO, President, Board, or equivalent: 19%
- Lack of an effective information security strategy: 19%
- Insufficient operating expenditures: 18%
- Leadership: CISO, CSO, or equivalent: 16%
- Leadership: CIO or equivalent: 16%
Question 28: What are the greatest obstacles to improving the overall strategic effectiveness of your organization's information security function?

Leading security practices for financial services companies

Security is a board-level business imperative
- Advance your security strategy and capabilities. An integrated security strategy should be a pivotal part of your business model; security is no longer simply an IT challenge. You should understand the exposure and potential business impact associated with operating in an interconnected global business ecosystem.
- Board and CEO drive security governance. Security risks are operational risks and should be reviewed regularly by the board. Strong support and communication from the board and CEO can break down traditional silos, leading to more collaboration and partnerships. An executive with direct interaction with the CEO, General Counsel, and Chief Risk Officer should lead security governance.
- A strong multi-party governance group should manage security risk. The security governance group should include representatives from legal, HR, risk, technology, security, communications, and the lines of business. The cybersecurity governance group should meet regularly (monthly or quarterly) to discuss the current threat landscape, changes within the organization that impact risk levels, and updates to remediation programs and initiatives.

Security threats are business risks
- Security program is threat-driven and assumes a continuous state of compromise. Adopt the philosophy of an assumed state of compromise, focusing on continuous detection and crisis response in addition to the traditional IT security focus of protection and mitigation. You should anticipate threats, know your vulnerabilities, and be able to identify and manage the associated risks. Focus on your adversaries: who might attack the business, and their motivations.
- Security risks are among the top 10 operational risks. Security risks include theft of intellectual property, attacks on brand, and social media.
- Ensure cooperation among third parties. Proactively make certain that suppliers, partners, and other third parties know and agree to adhere to your security practices.

Leading security practices for financial services companies (cont'd)

Protect the information that really matters
- Identify your most valuable information.
- Know where these "crown jewels" are located and who has access to them.
- Allocate and prioritize resources to protect your valuable information.

Establish and test incident-response plans
- Incident response should be aligned at all levels within the organization, by integrating the technical response (led by IT) and the business response (led by the business with input from legal, communications, the senior leadership team, and HR).
- Security incident response should be tested using real-world scenarios. Improve planning and preparedness through table-top simulations of recent industry events and likely attack scenarios, and conduct them frequently.
- Incident response should integrate technical and business responses. Responses to various attack scenarios and crises should be pre-scripted in a playbook format.

Gain advantage through Awareness to Action
- Security is driven by knowledge, an approach we call Awareness to Action. All activities and investments should be driven by the best available knowledge about information assets, ecosystem threats and vulnerabilities, and business-activity monitoring.
- Organizations should create a culture of security that starts with the commitment of top executives and cascades to all employees.
- Organizations should engage in public-private collaboration with others for enhanced threat intelligence.

For more information, please contact:
Financial Services IT Security & Risk Contacts
- Joe Nocera, Principal
- Shawn Connors, Principal
- Andrew Toner, Principal
- Christopher Morris, Principal
Or visit to explore the data and benchmark your organization.

The Global State of Information Security is a registered trademark of International Data Group, Inc.
PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use, and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
